Government Contractor Compliance & Regulatory Update

Renewed OFCCP Voluntary Self-Identification of Disability Form Now Available

Posted in Federal Contractors, OFCCP

Earlier today, the Office of Federal Contract Compliance Programs (OFCCP) announced that the Office of Management and Budget renewed the voluntary self-identification form for individuals with disabilities for an additional three years. This renewed Voluntary Self-Identification of Disability form is exactly the same as the prior form, except that it has a new expiration date of January 31, 2020.  Even so, federal contractors should start using this renewed form immediately.

The Voluntary Self-Identification of Disability form invites job applicants and employees to voluntarily self-identify as being an individual with a disability. The information collected on the self-identification form should be used by covered federal government contractors in determining that they have satisfied the utilization goal established by OFCCP and in conducting data analytics in connection with their affirmative action plans.

Trump Administration Will Retain LGBT Protections for Government Contractor Employees

Posted in Discrimination, OFCCP

Although the first eleven days of the Trump Administration have been full of activity and controversy, federal government contractors have been waiting to see if President Trump will undo or modify the compliance obligations imposed on them through the numerous Executive Orders issued by President Obama.

This morning (January 31, 2017) the White House announced plans with respect to one of those Executive Orders: Executive Order 11478 (the “Order”), which added sexual orientation and gender identity to the classes protected by Executive Order 11246.  According to the statement, the Order “will remain intact at the direction of President Trump.”  The announcement came the day after the press reported that the Trump Administration was contemplating overturning the Order or adding religious-freedom provisions.  The statement made today is silent on the latter point.

You can find our prior blog posts about the Order and its implementing regulations here and here.

The Department Of Homeland Security Proposes New Rules Affecting Federal Government Contractors

Posted in Employment Law

This week, the Department of Homeland Security (“DHS”) issued three proposed rules expanding data security and privacy requirements for contractors and subcontractors. The proposed rules build upon other recent efforts by various federal agencies to strengthen safeguarding requirements for sensitive government information.  Given the increasing emphasis on data security and privacy, contractors and subcontractors are well advised to familiarize themselves with these new requirements and undertake a careful review of their current data security and privacy procedures to ensure they comply.

  • Privacy Training

DHS contracts currently require contractor and subcontractor employees to complete privacy training before accessing a Government system of records; handling Personally Identifiable Information and/or Sensitive Personally Identifiable Information; or designing, developing, maintaining, or operating a Government system of records. DHS proposes including this training requirement in the Homeland Security Acquisition Regulation (“HSAR”) and to make the training more easily accessible by hosting it on a public website.  By including the rule in the HSAR, DHS would standardize the obligation across all DHS contracts.  The new rule would require the training to be completed within thirty days of the award of a contract and on an annual basis thereafter.

DHS invites comment on the proposed rule. In particular, DHS asks commenters to offer their views on the burden, if any, associated with the requirement to complete DHS-developed privacy training.  DHS also asks whether the industry should be given the flexibility to develop its own privacy training.  Comments must be submitted on or before March 20, 2017.

  • Information Technology Security Awareness Training

DHS currently requires contractor and subcontractor employees to complete information technology security awareness training before accessing DHS information systems and information resources. DHS proposes to amend the HSAR to require IT security awareness training for all contractor and subcontractor employees who will access (1) DHS information systems and information resources or (2) contractor owned and/or operated information systems and information resources capable of collecting, processing, storing or transmitting controlled unclassified information (“CUI”) (defined below).  DHS will require employees to undergo training and to sign DHS’s Rules of Behavior (“RoB”) before they are granted access to those systems and resources.  DHS also proposes to make this training and the RoB more easily accessible by hosting them on a public website.  Thereafter, annual training will be required.  In addition, contractors will be required to submit training certification and signed copies of the RoB to the contracting officer and maintain copies in their own records.

Through this proposed rule, DHS intends to require contractors to identify employees who will require access, to ensure that those employees complete training before they are granted access and annually thereafter, and to provide to the government, and maintain, evidence that training has been conducted. Comments on the proposed rule are due on or before March 20, 2017.

  • Safeguarding of Controlled Unclassified Information

DHS’s third proposed rule will implement new security and privacy measures, including handling and incident reporting requirements, in order to better safeguard CUI. According to DHS, “[r]ecent high-profile breaches of Federal information further demonstrate the need to ensure that information security protections are clearly, effectively, and consistently addressed in contracts.”  Accordingly, the proposed rule – which addresses specific safeguarding requirements outlined in an Office of Management and Budget document outlining policy on managing government data – is intended to “strengthen[] and expand[]” upon existing HSAR language.

DHS’s proposed rule broadly defines “CUI” as “any information the Government creates or possesses, or an entity creates or possesses for or on behalf of the Government (other than classified information) that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls[,]” including any “such information which, if lost, misused, disclosed, or, without authorization is accessed, or modified, could adversely affect the national or homeland security interest, the conduct of Federal programs, or the privacy of individuals.” The new safeguarding requirements, which apply to both contractors and subcontractors, include mandatory contract clauses; collection, processing, storage, and transmittal guidelines (which incorporate by reference any existing DHS policies and procedures); incident reporting timelines; and inspection provisions. Comments on the proposed rule are due on or before March 20, 2017.

  • Other Recent Efforts To Safeguard Contract Information

DHS’s new rules follow a number of other recent efforts by the federal government to better control CUI and other sensitive government information.

Last fall, for example, the National Archives and Records Administration (“NARA”) issued a final rule standardizing marking and handling requirements for CUI. The final rule, which went into effect on November 14, 2016, clarifies and standardizes the treatment of CUI across the federal government.

NARA’s final rule defines “CUI” as an intermediate level of protected information between classified information and uncontrolled information.  As defined, it includes such broad categories of information as proprietary information, export-controlled information, and certain information relating to legal proceedings.  The final rule also makes an important distinction between two types of systems that process, store or transmit CUI:  (1) information systems “used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency”; and (2) other systems that are not operated on behalf of an agency but that otherwise store, transmit, or process CUI.

Although the final rule directly applies only to federal agencies, it directs agencies to include CUI protection requirements in all federal agreements (including contracts, grants and licenses) that may involve such information.  As a result, its requirements indirectly extend to government contractors.  At the same time, however, it is likely that some government contractor systems will fall into the second category of systems and will not have to abide by the final rule’s restrictions.  A pending FAR case and anticipated forthcoming FAR regulation will further implement this directive for federal contractors.

Similarly, last year the Department of Defense (“DOD”), General Services Administration, and the National Aeronautics and Space Administration issued a new subpart and contract clause (52.204-21) to the FAR “for the basic safeguarding of contractor information systems that process, store, or transmit Federal contract information.”  The provision adds a number of new information security controls with which contractors must comply.

DOD’s final rule imposes a set of fifteen “basic” security controls for covered “contractor information systems” upon which “Federal contract information” transits or resides.  The new controls include: (1) limiting access to the information to authorized users; (2) limiting information system access to the types of transactions and functions that authorized users are permitted to execute; (3) verifying controls on connections to external information systems; (4) imposing controls on information that is posted or processed on publicly accessible information systems; (5) identifying information system users and processes acting on behalf of users or devices; (6) authenticating or verifying the identities of users, processes, and devices before allowing access to an information system; (7) sanitizing or destroying information system media containing Federal contract information before disposal, release, or reuse; (8) limiting physical access to information systems, equipment, and operating environments to authorized individuals; (9) escorting visitors and monitoring visitor activity, maintaining audit logs of physical access, and controlling and managing physical access devices; (10) monitoring, controlling, and protecting organizational communications at external boundaries and key internal boundaries of information systems; (11) implementing subnetworks for publicly accessible system components that are physically or logically separated from internal networks; (12) identifying, reporting, and correcting information and information system flaws in a timely manner; (13) providing protection from malicious code at appropriate locations within organizational information systems; (14) updating malicious code protection mechanisms when new releases are available; and (15) performing periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

“Federal contract information” is broadly defined to include any information provided by or generated for the federal government under a government contract.  It does not, however, include either:  (1) information provided by the Government to the public, such as on a website; or (2) simple transactional information, such as that needed to process payments.  A “covered contractor information system” is defined as one that:  (1) is owned or operated by a contractor; and (2) “possesses, stores, or transmits” Federal contract information.

EFFECTIVE TODAY: FAR Barring Certain Contractor Confidentiality Agreements

Posted in Federal Acquisitions

Today (January 19, 2017), the Employee Internal Confidentiality Agreements or Statements Federal Acquisition Regulation (the “Rule”) goes into effect.  The Rule prohibits the government from contracting with companies that require employees or subcontractors to sign “internal confidentiality agreements or statements prohibiting or otherwise restricting such employees or subcontractors from lawfully reporting such waste, fraud, or abuse to a designated investigative or law enforcement representative of a Federal department or agency authorized to receive such information.”  The commentary to the Rule explains that “designated” representatives are employees of the applicable agency’s Office of Inspector General.  The Rule applies to all solicitations and contracts (including contracts for Commercial Off-the-Shelf items (“COTS”)) using fiscal year 2015 funds or funds from any subsequent fiscal year.

Going forward, contractors will be required to certify, in connection with bids on new contracts or maintenance of existing contracts, that they have no non-compliant confidentiality agreements and will not enter into any non-compliant confidentiality agreements with their employees and subcontractors.  If the contractor represents that it has non-compliant agreements currently in effect, the contractor is ineligible for the new contract.

Excluded from the Rule are “confidentiality agreements arising out of civil litigation and confidentiality agreements that contractor employees or subcontractors sign at the behest of a Federal agency.”  Thus, contractors need not be concerned about settlements entered into during litigation or federally-mandated confidentiality agreements.

Key Takeaways

Contractors should immediately review their existing employee and subcontractor confidentiality agreements to ensure compliance.  To the extent any non-compliant confidentiality agreements exist, contractors should, consistent with guidance in the Rule, issue a notice to existing employees and subcontractors that such agreements, to the extent they conflict with the Rule, are no longer in effect, and have employees and subcontractors sign compliant confidentiality agreements.

Governor Cuomo Signs Executive Order Requiring State Contractors To Report Job Title And Pay Data

Posted in Employment Law, Labor Law

On January 9, 2017, New York Governor Andrew Cuomo signed an Executive Order that requires state contractors to disclose, in addition to data on gender, race, and ethnicity that is already required, job title and salary data for all of their employees working on state contracts (or their entire workforce if those working on state contracts cannot be identified). The Order, “Ensuring Pay Equity By State Contractors,” compels state contractors to disclose this data for all state contracts, agreements, and procurements issued and executed on or after June 1, 2017.

OFCCP Sues Google, Seeking Pay Data

Posted in OFCCP

On January 4, 2017, the Office of Federal Contract Compliance Programs (OFCCP) sued Google, claiming that the tech giant is illegally withholding information about the compensation it provides its employees.  OFCCP seeks the information as part of an ongoing review of Google’s compliance with the various equal protection laws enforced by the OFCCP.


Effective January 1, 2017: New Federal Contractor Paycheck Transparency, Independent Contractor Notice, and Paid Sick Leave Obligations

Posted in Department of Labor, Federal Acquisitions, Federal Contractors, OFCCP

On January 1, 2017, new federal contract paycheck transparency, independent contractor notification, and paid sick leave requirements go into effect.  Below we summarize the key elements of these new regulatory requirements.


Thomas M. Dowd Named OFCCP’s Acting Director

Posted in OFCCP

With Patricia Shiu stepping down as Director of the Office of Federal Contract Compliance Programs (“OFCCP”) on November 6, 2016, Thomas M. Dowd has been named OFCCP’s Acting Director, effective November 7, 2016.  He will serve until the new Trump Administration’s Secretary of Labor names a permanent director.

Mr. Dowd previously served as OFCCP’s career Deputy Director since 2011.

BREAKING: FEDERAL JUDGE ENJOINS IMPLEMENTATION OF PART OF FAIR PAY AND SAFE WORKPLACES (“BLACKLISTING”) EXECUTIVE ORDER, REGULATIONS, AND GUIDANCE

Posted in Department of Labor, Federal Acquisitions, Federal Contractors, Labor Law

On October 24, 2016, just one day prior to the effective date of the Regulations and Guidance implementing the Fair Pay and Safe Workplaces Executive Order (collectively the “Rule”), Judge Marcia Crone of the U.S. District Court for the Eastern District of Texas enjoined the implementation of almost every provision of the Rule.  Specifically, Judge Crone enjoined the implementation of the Rule’s new labor law violation reporting requirements and the Rule’s arbitration agreement restrictions.  Judge Crone declined to enjoin the paycheck transparency provisions, which go into effect on January 1, 2017.


Challenge To The Fair Pay And Safe Workplaces (“Blacklisting”) Rule To Be Heard On October 21, 2016

Posted in Department of Labor, Federal Acquisitions, Federal Contractors, Labor Law

On October 7, 2016, the first lawsuit challenging the Fair Pay and Safe Workplaces Executive Order (the “Order”) and its Final Rule and Guidance (collectively the “Rule”) was filed in the U.S. District Court for the Eastern District of Texas.  The lawsuit seeks a preliminary injunction preventing implementation of the Rule, declaratory judgment declaring the Rule invalid, and an order vacating the Rule.  A hearing on the plaintiffs’ motion for preliminary injunction will be heard by District Judge Marcia Crone on October 21, 2016.
